Simple Logic
ida
Key function
exp
In [5]: flag = list("GEV\\odzchpc03")

In [6]: s = ""
   ...: # Undo the check: XOR each byte with 3, then subtract the index mod 3
   ...: for i in range(0, len(flag)):
   ...:     if i % 3 == 0:
   ...:         s += chr(ord(flag[i]) ^ 3)
   ...:     elif i % 3 == 1:
   ...:         s += chr((ord(flag[i]) ^ 3) - 1)
   ...:     elif i % 3 == 2:
   ...:         s += chr((ord(flag[i]) ^ 3) - 2)
   ...: print(s)
   ...:
DES_key_is_10
snake~:./re
Please input your flag:
DES_key_is_10
you got it!
GEV\odzchpc03#
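This tells us the encryption is DES and the key is 10.
Check what the ciphertext is
Decrypt
Real and Fake Flag
As a math newbie, I searched Baidu for how to find the greatest common divisor of polynomials. It said to use successive division (the Euclidean algorithm), but I haven't studied math in a long time.
With the help of the old lady next door, I simplified the second expression: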
g(x) = x^3 + x^2 + x +1
= x^2(x+1) + (x+1)
= (x^2 + 1)(x+1)
Since simplifying the first formula was too tedious, I got the extraction password (x+1).
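The Euclidean algorithm for polynomials mentioned above, as an added example (not the author's code). The challenge's first polynomial is not shown on the page, so F below is a constructed stand-in; only g(x) and its factorization come from the write-up.

```python
from fractions import Fraction

def trim(p):
    """Strip leading zeros; coefficients are listed highest degree first."""
    i = 0
    while i < len(p) - 1 and p[i] == 0:
        i += 1
    return p[i:]

def poly_mul(a, b):
    """Product of two polynomials."""
    out = [Fraction(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += Fraction(x) * y
    return trim(out)

def poly_mod(a, b):
    """Remainder of a divided by b (b must be non-zero), by long division."""
    a = [Fraction(c) for c in trim(a)]
    b = trim(b)
    while len(a) >= len(b):
        factor = a[0] / b[0]
        for i in range(len(b)):
            a[i] -= factor * b[i]
        a = a[1:]  # the leading term is now zero, drop it
    return trim(a) if a else [Fraction(0)]

def poly_gcd(a, b):
    """Euclid: replace (a, b) by (b, a mod b) until b is 0, then make a monic.
    The inputs must not both be the zero polynomial."""
    a, b = trim(list(a)), trim(list(b))
    while any(b):
        a, b = b, poly_mod(a, b)
    return [Fraction(c) / a[0] for c in a]

G = [1, 1, 1, 1]                 # g(x) = x^3 + x^2 + x + 1, from the write-up
F = poly_mul([1, 1], [1, 0, 2])  # constructed f(x) = (x + 1)(x^2 + 2), not the challenge's

if __name__ == "__main__":
    print(poly_mul([1, 0, 1], [1, 1]) == G)  # checks g(x) = (x^2 + 1)(x + 1)
    print(poly_gcd(F, G))                    # monic common factor of F and G
```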
ida
exp
flag = list("lfkmq:b+C~neoyd-~yoog~eho~boxcmb~kdy}oxw")
two = list("y0y/|hka~ko??ajtoi")
# First string: single-byte XOR with 0xA
for i in range(0, len(flag)):
    flag[i] = chr(ord(flag[i]) ^ 0xA)
# Second string: XOR with 7, then subtract 7
for i in range(0, len(two)):
    two[i] = chr((ord(two[i]) ^ 7) - 7)
print(''.join(flag))
print(''.join(two))
Electroacoustic
UPX unpacking
☁ jactf upx -d run
Ultimate Packer for eXecutables
Copyright (C) 1996 - 2018
UPX 3.95 Markus Oberhumer, Laszlo Molnar & John Reiser Aug 26th 2018
File size Ratio Format Name
-------------------- ------ ----------- -----------
913048 <- 402252 44.06% linux/amd64 run
Unpacked 1 file.
Analysis
The four annotated functions are the main ones; construct the input according to each function.
exp
snake~:./run
1th input:aaaa
2th input:43806
3th input:978
4th input:we11d0ne!
Get your key:faded
source
☁ jactf file source
source: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
dnSpy
Locate the main function
Main flow: the input string is encrypted and then compared with key2.
exp
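key1 = list("flag{Thi3_i3+A_wrong+str}")
key2 = [24,90,51,23,66,172,49,34,246,240,25,27,224,88,253,50,254,10,7,31,84,5,12,38,15,16,79,117,238]
seed = 7
flag = ""
# Brute-force each input byte j so that the encrypted value matches key2[i];
# seed indexes key1 and advances modulo 25 after every recovered byte.
for i in range(0, len(key2)):
    for j in range(0, 255):
        # '+' binds tighter than '^', so this is (j + seed) ^ key1[seed]
        if key2[i] == ((j + seed) ^ ord(key1[seed])) & 0xff:
            seed = (seed + 1) % 25
            flag += chr(0x7f & j)
            break
print(flag)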
reversing
ida
Patch the key jump as shown in the figure below
Dynamic debugging then yields the flag
disk
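Approach
There are two images in total. Looking at the file contents shows that the second image is the one to analyze.
The comment field in the file's details contains JavaScript written as kaomoji (emoticons); just run it in the browser.
Summary
A tomorrow without a goal is a day full of energy.
Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 3.0. Please credit the source when reposting!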